Xref: alice comp.databases.oracle.server:54813 comp.databases.oracle.tools:27177
Path: alice!news-feed.fnsi.net!cyclone.i1.net!newsfeed.enteract.com!newsfeed.berkeley.edu!newsfeed.stanford.edu!paloalto-snf1.gtei.net!news.gtei.net!inet16.us.oracle.com!not-for-mail
From: Stevie <steviep9_nospam@hotmail.com>
Newsgroups: comp.databases.oracle.tools,comp.databases.oracle.server
Subject: Re: Firewalls and Oracle
Date: Thu, 24 Jun 1999 21:31:53 -0400
Organization: Oracle Corporation. Redwood Shores, CA
Lines: 105
Message-ID: <3772DC09.378C78A1@hotmail.com>
References: <377140D9.34204712@commerce.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="------------CD8CBA3CF631284A1311D8ED"
X-Trace: inet16.us.oracle.com 930274120 21408 140.87.47.126 (25 Jun 1999 01:28:40 GMT)
X-Complaints-To: usenet@inet16.us.oracle.com
NNTP-Posting-Date: 25 Jun 1999 01:28:40 GMT
To: Scott Dunbar <dunbar@commerce.com>
X-Mailer: Mozilla 4.5 [en] (WinNT; U)
X-Accept-Language: en
--------------CD8CBA3CF631284A1311D8ED
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
Scott,
<p>My 2cents....
<p>When you make a connection to the listener, say on port 1521 by default,
the listener then turns around and spawns a port for the client to connect
on, anywhere from port 10000-65000.&nbsp;&nbsp; The idea here is that the
listener just listens, that's it... Now with a firewall, what you have done
is probably opened 1521 so the connection makes it to the listener, but
the port that the listener spawns to the client machine never makes it
to the client, so you probably received ORA-12203, which is normal...
<p>You have a few options here...
<br>The supported/most secure way is to use a sqlnet-compatible firewall,
there are about a dozen or so available.
<br>If you are using Oracle8, you could set the use_shared_socket parameter
to force Oracle to communicate always on port 1521, but there are drawbacks...
<p>Scott Dunbar wrote:
<blockquote TYPE=CITE>Hi,
<br>&nbsp;&nbsp;&nbsp; We are attempting to connect from an Oracle client
to an Oracle server (all in the 8.1.x series) through a firewall.&nbsp;
With a little experimentation it appears that the Oracle client does an
initial connect() to the TNS listener but then an additional connection
is made using an O/S assigned port.&nbsp;&nbsp; The problem is this second
connection.&nbsp; Because it is O/S assigned it cannot be configured into
the firewall.&nbsp; For a variety of reasons we have issues with using
a "Net-8" compatible firewall (Oracle's solution).
<p>&nbsp;&nbsp;&nbsp; Is the number of this "return" port configurable?&nbsp;
I'm guessing not as that could have the side effect of limiting (to one!)
the number of clients that can be run on a particular box.&nbsp; Alternatively,
is there a way to convince Oracle to use only one connection?&nbsp; As
a side note, doesn't this scheme eat up file descriptors twice as fast
as using the single connection?&nbsp; On most O/S's this isn't a big deal
anymore but I guess SunOS 4.x (without DBE) scared me into being conservative
with fd's.
<p>&nbsp;&nbsp;&nbsp; Thanks in advance for any information.
<p><tt>--</tt>
<br><tt>Scott Dunbar&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Global Commerce Systems</tt>
<br><tt>dunbar@commerce.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Boulder, CO, USA</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
HTML mail ok</tt>
<br>&nbsp;</blockquote>
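<p>Added example, not part of the original post or of any Oracle tooling: a firewall-log check for the symptom described above, where the connection to the listener on 1521 is allowed but the follow-up connection to the redirect port is dropped. The log format, addresses, correlation window and the client-to-server direction of the second connection are assumptions made for illustration.

```python
from datetime import datetime, timedelta

LISTENER_PORT = 1521             # default listener port named in the post
REDIRECT_PORTS = (10000, 65000)  # redirect range as described in the post
WINDOW = timedelta(seconds=10)   # assumed correlation window

# Constructed sample firewall log (hypothetical format:
# "<ISO time> <ALLOW|DENY> <src ip>:<src port> -> <dst ip>:<dst port>").
SAMPLE_LOG = """\
1999-06-24T21:00:01 ALLOW 10.0.0.5:40112 -> 192.0.2.10:1521
1999-06-24T21:00:02 DENY 10.0.0.5:40113 -> 192.0.2.10:14872
1999-06-24T21:00:30 DENY 10.0.0.9:51000 -> 192.0.2.10:23
1999-06-24T21:01:00 ALLOW 10.0.0.7:40200 -> 192.0.2.10:1521
1999-06-24T21:05:00 DENY 10.0.0.7:40201 -> 192.0.2.10:20111
"""

def parse(line):
    """Split one log line into (time, action, client ip, server ip, server port)."""
    ts, action, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), action, src_ip, dst_ip, int(dst_port)

def find_blocked_redirects(log_text):
    """Return (client, server, port) for each denied high-port connection that
    follows an allowed listener connection from the same client within WINDOW."""
    last_listener_hit = {}  # (client, server) -> time of last allowed 1521 connect
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, action, client, server, port = parse(line)
        key = (client, server)
        if action == "ALLOW" and port == LISTENER_PORT:
            last_listener_hit[key] = ts
        elif action == "DENY" and REDIRECT_PORTS[0] <= port <= REDIRECT_PORTS[1]:
            seen = last_listener_hit.get(key)
            if seen is not None and ts - seen <= WINDOW:
                findings.append((client, server, port))
    return findings

if __name__ == "__main__":
    for client, server, port in find_blocked_redirects(SAMPLE_LOG):
        print(f"{client}: listener reached on {server}:{LISTENER_PORT}, "
              f"redirect to port {port} was dropped")
```

<p>A hit from this check means the firewall rule for 1521 is working and the failure is the second connection, which matches the ORA-12203 case in the reply.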
</html>

--------------CD8CBA3CF631284A1311D8ED--

